What are your thoughts on security ethics?

flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

What are your thoughts on security ethics?

Post by flying_circus »

Suppose you're sitting around drinking beer one evening and perusing craigslist looking for a quick and easy web development contract. You find an interesting listing and the company name is listed, so you google them and start reading about the company and what they do. As you're reading, you notice a login box. Out of sheer boredom and perhaps a little curiosity about the company's current level of security, you enter the first thing that comes to mind. Next thing you know, you're looking at a screen that says "You are logged in as *' OR 1='1".


Suppose, someday, that you find yourself in this position... Would you notify the company? It would seem like the right thing to do. Would you take an anonymous approach by registering a fake email, or just walk right in the front door and say "we need to talk"? Obviously, either method has pros and cons...

Comments welcome and encouraged. :drunk:
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: What are your thoughts on security ethics?

Post by Jonah Bron »

How about tell them and offer to do it? :)
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: What are your thoughts on security ethics?

Post by pickle »

The appeal is to tell them about it & take credit for finding it. Unfortunately there's precedent where the company then sues the "hacker" - usually those companies are really stupid & led by fear. I guess it would depend on the company, but I would imagine in most cases, a simple email that says: "Hey - you have a security hole here, and the result can be XYZ", will be met with a "thanks" and possibly a "wanna help?".
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
greyhoundcode
Forum Regular
Posts: 613
Joined: Mon Feb 11, 2008 4:22 am

Re: What are your thoughts on security ethics?

Post by greyhoundcode »

I accidentally stumbled across something like this - simply by using an apostrophe in a textarea, I seem to remember. I did indeed let that organisation know and offered my services. The reply was a polite, "Thanks - but we'll let our developer know." Fair enough.

From an ethical standpoint of course that is slightly different to deliberately testing their security and, ethically speaking, I'm not sure where I stand on this one: so long as there is no intention to cause damage or steal information ... after all, doesn't criminality rest largely upon intent? Hmm, quite a tough question.

Anyway, replacing my professor-of-ethics hat with my business one, these days it would be a clear decision not to do anything that could be construed as hacking, regardless of the intention - or at the very least I would not draw attention to the fact.
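The login box in the opening post and the apostrophe-in-a-textarea error greyhoundcode describes are the same bug seen from two angles: user input spliced into the SQL text. The snippet below is an added example, not code from anyone in this thread. It builds a throwaway SQLite table (the `users` table, its columns and the single sample row are constructed for the illustration, and the password is stored in plaintext only to keep the example short; a real application would compare a hash). A lone apostrophe makes the concatenated query fail to parse, and `' OR '1'='1` closes the quote early and appends an always-true condition so the first row matches; the parameterised version returns nothing for both inputs. SQLite treats the integer literal `1` and the string `'1'` as unequal, so the example uses the `'1'='1'` spelling of the trick the original post shows as `1='1'`, which MySQL and most other engines coerce and accept.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database. The table, columns and the
    single user row are constructed for this illustration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


DB = make_db()


def login_vulnerable(conn, username, password):
    """Login check that splices the submitted strings into the SQL text.

    A lone apostrophe breaks the quoting and the engine raises a syntax
    error; a value such as ' OR '1'='1 closes the quote early and appends
    a condition that is always true, so the first row in the table matches
    regardless of the password.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver hands the strings to the
    engine as data, so quotes inside them never reach the SQL parser."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def raises_sql_error(login_fn, conn, username, password):
    """True if the login function errors out on the input, which is the
    symptom (a stray apostrophe producing a database error) that usually
    reveals an injection point in the first place."""
    try:
        login_fn(conn, username, password)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("vulnerable, injected:", login_vulnerable(DB, payload, payload))
    print("safe, injected:", login_safe(DB, payload, payload))
    print("vulnerable, apostrophe raises:",
          raises_sql_error(login_vulnerable, DB, "'", "x"))
    print("safe, apostrophe raises:",
          raises_sql_error(login_safe, DB, "'", "x"))
```

The vulnerable function returns the database's own username ('alice'), whereas the site in the opening post echoed the submitted string back, which is why its screen read "logged in as *' OR 1='1"; the authentication bypass is the same either way. Note that the safe variant fixes the error case too: with bound parameters the apostrophe is just a character in a string, so nothing leaks about the query behind the form.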
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: What are your thoughts on security ethics?

Post by John Cartwright »

I would love to see an organization try to sue me for hacking based on the fact I triggered a simple SQL injection. It just won't happen. Nor will you be liable if their system cannot defend accidental and plausible scenarios.

Yours,
(Not a lawyer) Jcart
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: What are your thoughts on security ethics?

Post by pickle »

We're Canadian though ~Jcart, what doesn't fly up here may have wings in the States.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: What are your thoughts on security ethics?

Post by social_experiment »

I'd go for the anonymous route; my reasoning is similar to what pickle mentioned. Few website owners care to find out how their site measures up in the security department, and there are constant buzzes about 'hacker this' and 'hacker that', so paranoia levels among uneducated users are at an all-time high imo. Maybe your email reaches them just as they spill their coffee and suddenly it's your fault :/
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: What are your thoughts on security ethics?

Post by John Cartwright »

Agreed, I should have been more clear on that. Again, I'm not a lawyer and I do not fully understand laws outside of Canada.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: What are your thoughts on security ethics?

Post by social_experiment »

In the European Union, cyber crime law is primarily based on the Council of Europe's Convention on Cybercrime (November 2001). South Africa has signed but not ratified the Convention. Under the Convention, member states are obliged to criminalize:
1. Illegal access to a computer system,
2. Illegal interception of data to a computer system,
3. Interfering with a computer system without right, and intentional interference with computer data without right,
4. The use of inauthentic data with intent to put it across as authentic (data forgery),
5. Infringement of copyright and related rights online,
6. Interference with data or the functioning of a computer system,
7. Child pornography related offences (possession/distribution/procuring/producing of child pornography).
I did a quick search of cyber laws in South Africa and it looks, to me, like entrance gained, even accidentally (yet still illegally by common sense standards), will be a bit of a bother for you. To my reasoning (or in defence of said accidental entry), the onus would be on the person / company who owns the site / server to prove that it was an intentional attempt at breaking / entering / violating data. But like John Cartwright, I'm not a lawyer and this is pure speculation.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: What are your thoughts on security ethics?

Post by flying_circus »

It's interesting to see the variety of responses here.

You know... I had typed a reply to this thread but I just deleted it all. I thought about the crazy world we live in, driven by fear of the unknown and the bliss of ignorance. I like to think I am a well-intentioned person, I'm honest, and I certainly don't wish harm or damage upon anyone. More than anything, I just like to help.

Outside my development world, I love wings and parachutes. I have come to terms with the fact that when I want to jump off a building or other restricted object, I need to research the object, and likely circumvent security, but I'm not willing to cause damage in the process. In almost all cases, I would think the object owner would say no, and then heighten security, so I don't notify them. Lastly, I don't spread the details of the site, leave a trace, or make a move where I can be seen.

Damn, those kids were right, BASE jumping has touched my life in ways I never imagined...

For me this choice should be simple. I haven't caused any damage or left any trace, and there is no reward for jumping it again. If they fix the lock and someone in the future finds another way in, at least my conscience won't be eating at me.

I'm going to tell them, but do so anonymously.